Anybody else getting openbsc segfaults on IMSI Detach?


Holger Hans Peter Freyther holger at freyther.de
Fri Dec 14 13:05:47 UTC 2012


On Thu, Dec 13, 2012 at 10:14:27PM +0100, Tobias Engel wrote:

> It was, but not in msc_compl_l3. It was/is also accessed in
> msc_release_connection, but before calling gsm0808_clear, so that is not
> a problem.

Sorry, I didn't read it carefully enough. I prepared a very simple
test case and it is crashing the NITB. I will apply a patch like
the one below and the rule would be that msc_release_connection may
only be called from a timer or from the trans_free command.

The test case is attached to this email.

diff --git a/openbsc/src/libmsc/gsm_04_08.c b/openbsc/src/libmsc/gsm_04_08.c
index 9816174..fd482e0 100644
--- a/openbsc/src/libmsc/gsm_04_08.c
+++ b/openbsc/src/libmsc/gsm_04_08.c
@@ -965,7 +965,6 @@ static int gsm48_rx_mm_imsi_detach_ind(struct gsm_subscriber_connection *co
         * imagine an IMSI DETACH happening during an active call! */
 
        release_anchor(conn);
-       msc_release_connection(conn);
        return 0;
 }
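Review bot: the hunk drops msc_release_connection(conn) after release_anchor(conn) without recording why; the rule from the cover mail, that msc_release_connection may only be called from a timer or from trans_free, should be written as a comment next to the remaining release_anchor(conn) call so nobody reintroduces the synchronous release, and the mail should name which timer path now tears the connection down after an IMSI DETACH.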

-------------- next part --------------
"
 (C) 2012 by Holger Hans Peter Freyther
 All Rights Reserved

 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU Affero General Public License as
 published by the Free Software Foundation, either version 3 of the
 License, or (at your option) any later version.

 This program is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 GNU Affero General Public License for more details.

 You should have received a copy of the GNU Affero General Public License
 along with this program.  If not, see <http://www.gnu.org/licenses/>.
"

PackageLoader fileInPackage: #FakeBTS.

FakeBTS.OpenBSCTest subclass: IMSIDetach [
    <import: OsmoGSM>

    startTest [
        "1. Connect to the BTS"
        self createAndConnectBTS: '1801/0/0'.
        self testIMSIDetach.
    ]

    testIMSIDetach [
        | lchan detach tmsi |

        tmsi := self allocateTmsi: '901010000001111'.

        "2. Get a LCHAN"
        lchan := self requireAnyChannel.

        "3. Send an IMSI Detach"
        detach := GSM48IMSIDetachInd new.
        detach mi tmsi: tmsi.
        lchan sendGSM: detach toMessage.

        "Wait for the channel to be released."
        [
            | msg |
            "Read all messages until the end on SAPI=0. Ignore SAPI=3"
            "If we send another SAPI=3 Release Indication we get a double
             RF Channel Release from the NITB."
            [
            msg := GSM48MSG decode: lchan nextSapi0Msg readStream.
            (msg isKindOf: GSM48RRChannelRelease)
                ifTrue: [lchan releaseAllSapis. ^true]
            ] on: Exception do: [Transcript nextPutAll: 'GSM decoding error'; nl.].
        ] repeat.
    ]
]

Eval [
    | test |

    test := IMSIDetach new
                startTest;
                stopBts;
                yourself.
]
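The release-ordering rule Holger states in the mail (the connection may only be released from a timer or from trans_free, never synchronously from inside the layer-3 handler that was called with it) can be modelled in a few lines of C. This is an added example, not OpenBSC code: struct conn, dispatch() and the other names are hypothetical stand-ins for gsm_subscriber_connection and the NITB's message dispatch, and the scenario follows the attached test (one IMSI DETACH on a live channel, then a late release attempt that must not release twice).

```c
#include <stdbool.h>
/* Hypothetical stand-in for gsm_subscriber_connection. */
struct conn {
    bool in_dispatch;     /* a layer-3 handler for this conn is running */
    bool release_pending; /* a handler asked for release during dispatch */
    bool released;        /* the connection has actually been torn down */
    int  rx_count;        /* work the dispatcher does after the handler returns */
};
static int releases_done; /* real tear-downs, so a test can check "exactly one" */

/* Single tear-down path (stands in for timer / trans_free); never twice. */
static void conn_do_release(struct conn *c) {
    if (c->released) return;
    c->released = true; releases_done++;
}

/* What handlers call instead of releasing synchronously. */
static void conn_request_release(struct conn *c) {
    if (c->in_dispatch) { c->release_pending = true; return; }
    conn_do_release(c);
}

/* IMSI DETACH INDICATION handler: asks for release, never frees itself. */
static int rx_imsi_detach_ind(struct conn *c) {
    conn_request_release(c);
    return 0;
}

/* Dispatcher: runs the handler, then still touches conn (the access that
 * segfaulted once the handler had freed it), then releases if asked. */
int dispatch(struct conn *c, bool imsi_detach) {
    int rc = 0;
    c->in_dispatch = true;
    if (imsi_detach)
        rc = rx_imsi_detach_ind(c);
    c->rx_count++;        /* safe: conn is guaranteed alive here */
    c->in_dispatch = false;
    if (c->release_pending) { c->release_pending = false; conn_do_release(c); }
    return rc;
}

/* Attached test's scenario: one IMSI DETACH on a live channel, then a late
 * timer release. Returns tear-downs performed (expect 1), or -1 on error. */
int run_detach_scenario(void) {
    struct conn c = {0};
    releases_done = 0;
    if (dispatch(&c, true) != 0 || !c.released || c.rx_count != 1) return -1;
    conn_request_release(&c); /* late timer: must be a no-op */
    return releases_done;
}
```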

